CVE-2018-12123

CVSS v3.1 4.3 (Medium)

CVSS v2.0 4.3 (Medium)

EPSS 0.12 % (48^th)

Affected Products 1

Advisories 9

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

Weaknesses

CWE-115: Misinterpretation of Input
CWE-20: Improper Input Validation

CVE Status: PUBLISHED
CNA: Node.js
Published Date: 2018-11-28 17:29:00
(5 years ago)
Updated Date: 2022-09-06 17:56:06
(2 years ago)

Affected Products

Nodejs

Node.js

Configuration #1

	CPE23	From	Up To
Nodejs Node.js from 6.0.0 version and prior 6.15.0 version	cpe:2.3:a:nodejs:node.js::::*:lts	>= 6.0.0	< 6.15.0
Nodejs Node.js from 8.0.0 version and prior 8.14.0 version	cpe:2.3:a:nodejs:node.js::::*:lts	>= 8.0.0	< 8.14.0
Nodejs Node.js from 10.0.0 version and prior 10.14.0 version	cpe:2.3:a:nodejs:node.js::::*:lts	>= 10.0.0	< 10.14.0
Nodejs Node.js from 11.0.0 version and prior 11.3.0 version	cpe:2.3:a:nodejs:node.js::::*:-	>= 11.0.0	< 11.3.0